How healthcare audit pros juggle risk-management priorities

Healthcare internal audit professionals are juggling multiple priorities as the digital landscape grows in the industry, according to a survey from the Association of Healthcare Internal Auditors (AHIA) and global consulting firm Protiviti.

"Healthcare internal audit departments and their organizations are working to adapt their risk management capabilities to address an increasingly digital enterprise amid so many challenges--including the introduction of health information exchanges and health insurance exchanges, constant regulatory uncertainty, HIPAA compliance audits, social media misuse, increased fraud activity and regulations, recoupment of Meaningful Use funds, ICD-10 changes, and much more," the report states, adding that those activities will only grow in value.

The report focuses on five priority areas:

  • Cybersecurity risks and practices
  • Regulatory compliance
  • Supporting, enabling and protecting the digital enterprise
  • Addressing fraud risks
  • Multi-stakeholder collaboration

The AHIA survey found that:

  • Confidence is generally lacking in organizations' cybersecurity capabilities, including identifying, assessing and mitigating cybersecurity risk
  • Improvement is needed in senior management awareness of information security exposures
  • One in three healthcare provider organizations lacks a cybersecurity risk strategy as well as a cybersecurity risk policy
  • Respondents rated their organization's ability to prevent a breach resulting from insider action at 6.7 on a 10-point scale.
  • The NIST Cybersecurity Framework represents a top priority for internal audits

NIST released its cybersecurity framework in February 2014, touting that it "uses a common language to address and manage cybersecurity risk in a cost-effective way." However, HIMSS has been pressing for more specific guidance on how healthcare organizations can use it.

To that end, when creating a hospital cybersecurity framework, Christopher Paidhrin, security administration and integrity manager in the compliance division of Pacific Northwest-based PeaceHealth, says it is important to do two things: Create a spreadsheet that can stimulate ideas and don't forget about business associates and vendors, including the flow of information into and out of the organization.

To learn more:
- read the report (.pdf)

Read more on